rlm_exec: "multi line" attributes
Adam Bishop
Adam.Bishop at ja.net
Thu Jul 3 15:03:50 CEST 2014
On 3 Jul 2014, at 13:07, Alan DeKok <aland at deployingradius.com> wrote:
>> In my case, there are multiple SAML-AAA-Assertions in a single response, however only the last line (</saml:Assertion>) is stuffed into an environment variable.
>
> Hmm... the environment variables are *input* to the script, not
> output. (i.e. request, not response)
OK, so the incoming response packet looks like this:
Thread 5 handling request 7, (4 handled so far)
MS-MPPE-Recv-Key = 0x7923d83cd3c96715a4bff2fbcd1d034b6e6bb94dab5749353fe4226bed735e30
MS-MPPE-Send-Key = 0x84296547b891279eefdbe7aa6ea802ae2c5b2b4d6ac41e3c2557cdc61829992b
EAP-Message = 0x03070004
Message-Authenticator = 0x967b16a30ccb2b571dcbcbdb6014760e
Proxy-State = 0x30
SAML-AAA-Assertion = '<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" IssueInstant=\"2011-03-19T08:30:00Z\" ID=\"foo\" Version=\"2.0\">'
SAML-AAA-Assertion = '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
SAML-AAA-Assertion = '<saml:AttributeStatement>'
SAML-AAA-Assertion = '<saml:Attribute NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.6\"><saml:AttributeValue>cantor.2 at osu.edu</saml:AttributeValue></saml:Attribute>'
SAML-AAA-Assertion = '<saml:Attribute NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>'
SAML-AAA-Assertion = '</saml:AttributeStatement>'
SAML-AAA-Assertion = '</saml:Assertion>'
I’ve replaced my exec call with just a bare test script executed in outer:post-auth which exhibits the same behaviour, configured as follows:
exec capture_env {
wait = yes
input_pairs = reply
shell_escape = yes
output = none
timeout = 10
program = "/usr/bin/env bash /capture_env.sh"
}
Which doesn’t look very exciting in the debug view:
(7) # Executing section post-proxy from file /etc/freeradius/sites-enabled/default
(7) post-proxy {
(7) eap : No pre-existing handler found
(7) [eap] = noop
(7) } # post-proxy = noop
(7) Found Auth-Type = Accept
(7) Auth-Type = Accept, accepting the user
(7) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(7) post-auth {
(7) capture_env : Executing: "/usr/bin/env bash /capture_env.sh"
(7) capture_env : Program returned code (0):
(7) capture_env : Program executed successfully
(7) [capture_env] = ok
(7) [exec] = noop
(7) } # post-auth = ok
Sending Access-Accept of id 0 from 0.0.0.0 port 2083 to 127.0.0.1 port 46926
MS-MPPE-Recv-Key = 0xec6086dfcae07113a83ae5e6c081194ee4047178ae237211eb754c179badb4cc
MS-MPPE-Send-Key = 0xc071798df0582b6f958101ee7bee59263483a19d521292e4b58df70c678050f2
EAP-Message = 0x03070004
Message-Authenticator = 0xefba14413482d0131b8ec61397b822d4
SAML-AAA-Assertion = '<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\" IssueInstant=\"2011-03-19T08:30:00Z\" ID=\"foo\" Version=\"2.0\">'
SAML-AAA-Assertion = '<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>'
SAML-AAA-Assertion = '<saml:AttributeStatement>'
SAML-AAA-Assertion = '<saml:Attribute NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.6\"><saml:AttributeValue>cantor.2 at osu.edu</saml:AttributeValue></saml:Attribute>'
SAML-AAA-Assertion = '<saml:Attribute NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:uri\" Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.7\"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>'
SAML-AAA-Assertion = '</saml:AttributeStatement>'
SAML-AAA-Assertion = '</saml:Assertion>'
The script itself just writes `env` to a text file, which only has the final line stored:
# cat /parse-saml.sh
#! /usr/bin/env bash
env > /tmp/test.txt
# cat /tmp/test.txt
MS_MPPE_SEND_KEY=0x84296547b891279eefdbe7aa6ea802ae2c5b2b4d6ac41e3c2557cdc61829992b
MESSAGE_AUTHENTICATOR=0x967b16a30ccb2b571dcbcbdb6014760e
EAP_MESSAGE=0x03070004
SAML_AAA_ASSERTION="</saml:Assertion>"
PWD=/etc/freeradius
SHLVL=1
MS_MPPE_RECV_KEY=0x7923d83cd3c96715a4bff2fbcd1d034b6e6bb94dab5749353fe4226bed735e30
_=/usr/bin/env
Interestingly, some double quotes have found their way into the environment variable too.
Regards,
Adam Bishop
gpg: 0x6609D460
Janet, the UK's research and education network.
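The capture above shows the mechanism behind the lost lines: each value of the multi-valued SAML-AAA-Assertion is exported under the same environment-variable name, and an environment holds one value per name, so the child only ever sees the last one (wrapped in the double quotes the capture shows). The script below is an added example, not code from this post or from FreeRADIUS: it models that collapse with a constructed copy of the seven values from the debug output, and then shows the check a script on the receiving end should make, which is to refuse anything that is not a complete assertion rather than process the fragment. The variable name SAML_AAA_ASSERTION is taken from the /tmp/test.txt capture; the helper function names, the setenv-per-value model of the parent and the sample XML are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the post or from FreeRADIUS. It models what
# the capture shows: one environment variable per attribute value, the same
# name each time, so the child keeps only the last value, in double quotes.
# Assumed: the variable name SAML_AAA_ASSERTION (from the capture) and the
# helper functions below, which are hypothetical.

# Constructed sample: the seven SAML-AAA-Assertion values from the debug
# output, one per line, with the debug printer's backslashes removed.
SAML_VALUES='<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" IssueInstant="2011-03-19T08:30:00Z" ID="foo" Version="2.0">
<saml:Issuer>urn:mace:incommon:osu.edu</saml:Issuer>
<saml:AttributeStatement>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>cantor.2@osu.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>moonshot</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>'

# Export each value under the same name, as a parent that maps one attribute
# value to one setenv() would, then ask a child process what it received.
export_like_rlm_exec() {
    while IFS= read -r v; do
        SAML_AAA_ASSERTION="\"$v\""      # each assignment replaces the last
        export SAML_AAA_ASSERTION
    done <<EOF
$SAML_VALUES
EOF
    sh -c 'printf "%s\n" "$SAML_AAA_ASSERTION"'
}

# What the script actually needed: every value, concatenated in order.
join_values() {
    joined=""
    while IFS= read -r v; do
        joined="$joined$v"
    done <<EOF
$SAML_VALUES
EOF
    printf '%s\n' "$joined"
}

# Fail-closed consumer: strip the wrapping quotes, then refuse anything that
# is not a complete <saml:Assertion> element. A trailing fragment such as
# </saml:Assertion> must never be handed on as if it were the assertion.
consume_assertion() {
    raw=$1
    raw=${raw#\"}        # drop the leading quote the parent added
    raw=${raw%\"}        # and the trailing one
    case "$raw" in
        "<saml:Assertion "*"</saml:Assertion>")
            printf '%s\n' "$raw"
            return 0 ;;
        *)
            echo "incomplete SAML assertion in environment, refusing" >&2
            return 1 ;;
    esac
}

# Run directly: reproduce the collapse, reject the fragment, accept the whole.
export_like_rlm_exec
consume_assertion "$(export_like_rlm_exec)" || true
consume_assertion "\"$(join_values)\""
```

Run as-is, the first call prints only `"</saml:Assertion>"`, the second refuses it, and the third accepts the concatenated element. The point for anyone writing the receiving script is that the environment cannot carry the full assertion at all, so the check is not optional: a script that takes whatever arrives in SAML_AAA_ASSERTION and parses it would happily operate on a closing tag.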